Thunderbird:Supported authentication methods
Mozilla 1.7 has support for GSSAPI authentication for HTTP, and thus supports kerberos. It would be good to have GSSAPI auth for IMAP (and LDAP) in TB. Is the support there? What needs to be developed and tested? I'll try to gather relevant bugs and references to source code here.
- IMAP/GSSAPI in thunderbird 1.5?
- IMAP/GSSAPI implemented?
- Request for HTTP/GSSAPI auth (implemented in 1.7)
- Request for LDAP/GSSAPI auth
- Request for SOCKS5/GSSAPI
TB supports negotiation of authentication method via IMAP, though I'm not sure which methods it supports of MD5, crypt, GSSAPI etc.
I guess this is similar to IMAP auth. negotiation.
- RFC 2222 - SASL Specification, section 7.2 describes SASL-GSSAPI
- RFC 4752 - updated SASL GSSAPI spec - describes use of SASL with GSSAPI/KRB5 and GSSAPI/SPNEGO mechanisms.
Thunderbird 1.5 beta has support for SASL/GSSAPI support. The client must first have a valid Kerberos ticket and the server must also support SASL/GSSAPI authentication in order to succeed. UW IMAP Server has support for SASL/GSSAPI, as does the Dovecot system.
NTLM and SPNEGO
GSSAPI authentication, either with SPNEGO tokens or with GSSAPI Kerberos V5 tokens, is attemtped if the server responds to the initial page request with a message that requests authentication and includes the "Auth: Negotiate" HTTP Header line. The client must have access to a valid Kerberos ticket or it won't even attempt to send the exchange. On Windows, NTLM auth may be attempted in the absence of valid Kerberos credentials.
See some details here:
- RFC 2478 - Original SPNEGO specification (broken and outdated as of Fall 2005)
- RFC 4178 - (coming soon) official SPNEGO specification.
- Configure GSSAPI auth for Mozilla and Apache (on Solaris) - also describes IIS and IE configuration.